xref: /freebsd/share/man/man7/firewall.7 (revision 1b6c76a2fe091c74f08427e6c870851025a9cf67) 
1.\" Copyright (c) 2001, Matthew Dillon.  Terms and conditions are those of
2.\" the BSD Copyright as specified in the file "/usr/src/COPYRIGHT" in
3.\" the source tree.
4.\"
5.\" $FreeBSD$
6.\"
7.Dd May 26, 2001
8.Dt FIREWALL 7
9.Os FreeBSD
10.Sh NAME
11.Nm firewall
12.Nd simple firewalls under FreeBSD
13.Sh FIREWALL BASICS
14A Firewall is most commonly used to protect an internal network
15from an outside network by preventing the outside network from
16making arbitrary connections into the internal network.  Firewalls
17are also used to prevent outside entities from spoofing internal
18IP addresses and to isolate services such as NFS or SMBFS (Windows
19file sharing) within LAN segments.
20.Pp
21The
22.Fx
23firewalling system also has the capability to limit bandwidth using
24.Xr dummynet 4 .
25This feature can be useful when you need to guarentee a certain
26amount of bandwidth for a critical purpose.  For example, if you
27are doing video conferencing over the internet via your
28office T1 (1.5 MBits), you may wish to bandwidth-limit all other
29T1 traffic to 1 MBit in order to reserve at least 0.5 MBits
30for your video conferencing connections.  Similarly if you are
31running a popular web or ftp site from a colocation facility
32you might want to limit bandwidth to prevent excessive band
33width charges from your provider.
34.Pp
35Finally,
36.Fx
37firewalls may be used to divert packets or change the next-hop
38address for packets to help route them to the correct destination.
39Packet diversion is most often used to support NAT (network
40address translation), which allows an internal network using
41a private IP space to make connections to the outside for browsing
42or other purposes.
43.Pp
44Constructing a firewall may appear to be trivial, but most people
45get them wrong.  The most common mistake is to create an exclusive
46firewall rather then an inclusive firewall.  An exclusive firewall
47allows all packets through except for those matching a set of rules.
48An inclusive firewall allows only packets matching the rulset
49through.  Inclusive firewalls are much, much safer then exclusive
50firewalls but a tad more difficult to build properly.  The
51second most common mistake is to blackhole everything except the
52particular port you want to let through.  TCP/IP needs to be able
53to get certain types of ICMP errors to function properly - for
54example, to implement MTU discovery.  Also, a number of common
55system daemons make reverse connections to the
56.Sy auth
57service in an attempt to authenticate the user making a connection.
58Auth is rather dangerous but the proper implementation is to return
59a TCP reset for the connection attempt rather then simply blackholing
60the packet.  We cover these and other quirks involved with constructing
61a firewall in the sample firewall section below.
62.Sh IPFW KERNEL CONFIGURATION
63To use the ip firewall features of
64.Fx
65you must create a custom kernel with the
66.Sy IPFIREWALL
67option set.  The kernel defaults its firewall to deny all
68packets by default, which means that if you do not load in
69a permissive ruleset via
70.Em /etc/rc.conf ,
71rebooting into your new kernel will take the network offline
72and will prevent you from being able to access it if you
73are not sitting at the console.  It is also quite common to
74update a kernel to a new release and reboot before updating
75the binaries.  This can result in an incompatibility between
76the
77.Xr ipfw 8
78program and the kernel which prevents it from running in the
79boot sequence, also resulting in an inaccessible machine.
80Because of these problems the
81.Sy IPFIREWALL_DEFAULT_TO_ACCEPT
82kernel option is also available which changes the default firewall
83to pass through all packets.  Note, however, that this is a very
84dangerous option to set because it means your firewall is disabled
85during booting.  You should use this option while getting up to
86speed with
87.Fx
88firewalling, but get rid of it once you understand how it all works
89to close the loophole.  There is a third option called
90.Sy IPDIVERT
91which allows you to use the firewall to divert packets to a user program
92and is necessary if you wish to use
93.Xr natd 8
94to give private internal networks access to the outside world.
95If you want to be able to limit the bandwidth used by certain types of
96traffic, the
97.Sy DUMMYNET
98option must be used to enable
99.Em ipfw pipe
100rules.
101.Pp
102.Sh SAMPLE IPFW-BASED FIREWALL
103Here is an example ipfw-based firewall taken from a machine with three
104interface cards.  fxp0 is connected to the 'exposed' LAN.  Machines
105on this LAN are dual-homed with both internal 10. IP addresses and
106internet-routed IP addresses.  In our example, 192.100.5.x represents
107the internet-routed IP block while 10.x.x.x represents the internal
108networks.  While it isn't relevant to the example, 10.0.1.x is
109assigned as the internal address block for the LAN on fxp0, 10.0.2.x
110for the LAN on fxp1, and 10.0.3.x for the LAN on fxp2.
111.Pp
112In this example we want to isolate all three LANs from the internet
113as well as isolate them from each other, and we want to give all
114internal addresses access to the internet through a NAT gateway running
115on this machine.  To make the NAT gateway work, the firewall machine
116is given two internet-exposed addresses on fxp0 in addition to an
117internal 10. address on fxp0: one exposed address (not shown)
118represents the machine's official address, and the second exposed
119address (192.100.5.5 in our example) represents the NAT gateway
120rendezvous IP.  We make the example more complex by giving the machines
121on the exposed LAN internal 10.0.0.x addresses as well as exposed
122addresses.  The idea here is that you can bind internal services
123to internal addresses even on exposed machines and still protect
124those services from the internet.  The only services you run on
125exposed IP addresses would be the ones you wish to expose to the
126internet.
127.Pp
128It is important to note that the 10.0.0.x network in our example
129is not protected by our firewall.  You must make sure that your
130internet router protects this network from outside spoofing.
131Also, in our example, we pretty much give the exposed hosts free
132reign on our internal network when operating services through
133internal IP addresses (10.0.0.x).   This is somewhat of security
134risk... what if an exposed host is compromised?  To remove the
135risk and force everything coming in via LAN0 to go through
136the firewall, remove rules 01010 and 01011.
137.Pp
138Finally, note that the use of internal addresses represents a
139big piece of our firewall protection mechanism.  With proper
140spoofing safeguards in place, nothing outside can directly
141access an internal (LAN1 or LAN2) host.
142.Bd -literal
143# /etc/rc.conf
144#
145firewall_enable="YES"
146firewall_type="/etc/ipfw.conf"
147
148# temporary port binding range let
149# through the firewall.
150#
151# NOTE: heavily loaded services running through the firewall may require
152# a larger port range for local-size binding.  4000-10000 or 4000-30000
153# might be a better choice.
154ip_portrange_first=4000
155ip_portrange_last=5000
156...
157.Ed
158.Pp
159.Bd -literal
160# /etc/ipfw.conf
161#
162# FIREWALL: the firewall machine / nat gateway
163# LAN0	    10.0.0.X and 192.100.5.X (dual homed)
164# LAN1	    10.0.1.X
165# LAN2	    10.0.2.X
166# sw:	    ethernet switch (unmanaged)
167#
168# 192.100.5.x represents IP addresses exposed to the internet
169# (i.e. internet routeable).  10.x.x.x represent internal IPs
170# (not exposed)
171#
172#   [LAN1]
173#      ^
174#      |
175#   FIREWALL -->[LAN2]
176#      |
177#   [LAN0]
178#      |
179#      +--> exposed host A
180#      +--> exposed host B
181#      +--> exposed host C
182#      |
183#   INTERNET (secondary firewall)
184#    ROUTER
185#      |
186#    [internet]
187#
188# NOT SHOWN:  The INTERNET ROUTER must contain rules to disallow
189# all packets with source IP addresses in the 10. block in order
190# to protect the dual-homed 10.0.0.x block.  Exposed hosts are
191# not otherwise protected in this example - they should only bind
192# exposed services to exposed IPs but can safely bind internal
193# services to internal IPs.
194#
195# The NAT gateway works by taking packets sent from internal
196# IP addresses to external IP addresses and routing them to natd, which
197# is listening on port 8668.   This is handled by rule 00300.  Data coming
198# back to natd from the outside world must also be routed to natd using
199# rule 00301.  To make the example interesting, we note that we do
200# NOT have to run internal requests to exposed hosts through natd
201# (rule 00290) because those exposed hosts know about our
202# 10. network.  This can reduce the load on natd.  Also note that we
203# of course do not have to route internal<->internal traffic through
204# natd since those hosts know how to route our 10. internal network.
205# The natd command we run from /etc/rc.local is shown below.  See
206# also the in-kernel version of natd, ipnat.
207#
208#	natd -s -u -a 208.161.114.67
209#
210#
211add 00290 skipto 1000 ip from 10.0.0.0/8 to 192.100.5.0/24
212add 00300 divert 8668 ip from 10.0.0.0/8 to not 10.0.0.0/8
213add 00301 divert 8668 ip from not 10.0.0.0/8 to 192.100.5.5
214
215# Short cut the rules to avoid running high bandwidths through
216# the entire rule set.  Allow established tcp connections through,
217# and shortcut all outgoing packets under the assumption that
218# we need only firewall incoming packets.
219#
220# Allowing established tcp connections through creates a small
221# hole but may be necessary to avoid overloading your firewall.
222# If you are worried, you can move the rule to after the spoof
223# checks.
224#
225add 01000 allow tcp from any to any established
226add 01001 allow all from any to any out via fxp0
227add 01001 allow all from any to any out via fxp1
228add 01001 allow all from any to any out via fxp2
229
230# Spoof protection.  This depends on how well you trust your
231# internal networks.  Packets received via fxp1 MUST come from
232# 10.0.1.x.  Packets received via fxp2 MUST come from 10.0.2.x.
233# Packets received via fxp0 cannot come from the LAN1 or LAN2
234# blocks.  We can't protect 10.0.0.x here, the internet router
235# must do that for us.
236#
237add 01500 deny all from not 10.0.1.0/24 in via fxp1
238add 01500 deny all from not 10.0.2.0/24 in via fxp2
239add 01501 deny all from 10.0.1.0/24 in via fxp0
240add 01501 deny all from 10.0.2.0/24 in via fxp0
241
242# In this example rule set there are no restrictions between
243# internal hosts, even those on the exposed LAN (as long as
244# they use an internal IP address).  This represents a
245# potential security hole (what if an exposed host is
246# compromised?).  If you want full restrictions to apply
247# between the three LANs, firewalling them off from each
248# other for added security, remove these two rules.
249#
250# If you want to isolate LAN1 and LAN2, but still want
251# to give exposed hosts free reign with each other, get
252# rid of rule 01010 and keep rule 01011.
253#
254# (commented out, uncomment for less restrictive firewall)
255#add 01010 allow all from 10.0.0.0/8 to 10.0.0.0/8
256#add 01011 allow all from 192.100.5.0/24 to 192.100.5.0/24
257#
258
259# SPECIFIC SERVICES ALLOWED FROM SPECIFIC LANS
260#
261# If using a more restrictive firewall, allow specific LANs
262# access to specific services running on the firewall itself.
263# In this case we assume LAN1 needs access to filesharing running
264# on the firewall.  If using a less restrictive firewall
265# (allowing rule 01010), you don't need these rules.
266#
267add 01012 allow tcp from 10.0.1.0/8 to 10.0.1.1 139
268add 01012 allow udp from 10.0.1.0/8 to 10.0.1.1 137,138
269
270# GENERAL SERVICES ALLOWED TO CROSS INTERNAL AND EXPOSED LANS
271#
272# We allow specific UDP services through: DNS lookups, ntalk, and ntp.
273# Note that internal services are protected by virtue of having
274# spoof-proof internal IP addresses (10. net), so these rules
275# really only apply to services bound to exposed IPs.  We have
276# to allow UDP fragments or larger fragmented UDP packets will
277# not survive the firewall.
278#
279# If we want to expose high-numbered temporary service ports
280# for things like DNS lookup responses we can use a port range,
281# in this example 4000-65535, and we set to /etc/rc.conf variables
282# on all exposed machines to make sure they bind temporary ports
283# to the exposed port range (see rc.conf example above)
284#
285add 02000 allow udp from any to any 4000-65535,domain,ntalk,ntp
286add 02500 allow udp from any to any frag
287
288# Allow similar services for TCP.  Again, these only apply to
289# services bound to exposed addresses.  NOTE: we allow 'auth'
290# through but do not actually run an identd server on any exposed
291# port.  This allows the machine being authed to respond with a
292# TCP RESET.  Throwing the packet away would result in delays
293# when connecting to remote services that do reverse ident lookups.
294#
295# Note that we do not allow tcp fragments through, and that we do
296# not allow fragments in general (except for UDP fragments).  We
297# expect the TCP mtu discovery protocol to work properly so there
298# should be no TCP fragments.
299#
300add 03000 allow tcp from any to any http,https
301add 03000 allow tcp from any to any 4000-65535,ssh,smtp,domain,ntalk
302add 03000 allow tcp from any to any auth,pop3,ftp,ftp-data
303
304# It is important to allow certain ICMP types through:
305#
306#	0	Echo Reply
307#	3	Destination Unreachable
308#	4	Source Quench (typically not allowed)
309#	5	Redirect (typically not allowed - can be dangerous!)
310#	8	Echo
311#	11	Time Exceeded
312#	12	Parameter Problem
313#	13	Timestamp
314#	14	Timestamp Reply
315#
316# Sometimes people need to allow ICMP REDIRECT packets, which is
317# type 5, but if you allow it make sure that your internet router
318# disallows it.
319
320add 04000 allow icmp from any to any icmptypes 0,5,8,11,12,13,14
321
322# log any remaining fragments that get through.  Might be useful,
323# otherwise don't bother.  Have a final deny rule as a safety to
324# guarentee that your firewall is inclusive no matter how the kernel
325# is configured.
326#
327add 05000 deny log ip from any to any frag
328add 06000 deny all from any to any
329.Ed
330.Sh PORT BINDING INTERNAL AND EXTERNAL SERVICES
331We've mentioned multi-homing hosts and binding services to internal or
332external addresses but we haven't really explained it.  When you have a
333host with multiple IP addresses assigned to it, you can bind services run
334on that host to specific IPs or interfaces rather then all IPs.  Take
335the firewall machine for example:  With three interfaces
336and two exposed IP addresses
337on one of those interfaces, the firewall machine is known by 5 different
338IP addresses (10.0.0.1, 10.0.1.1, 10.0.2.1, 192.100.5.5, and say
339192.100.5.1).  If the firewall is providing file sharing services to the
340windows LAN segment (say it is LAN1), you can use samba's 'bind interfaces'
341directive to specifically bind it to just the LAN1 IP address.  That
342way the file sharing services will not be made available to other LAN
343segments.  The same goes for NFS.  If LAN2 has your UNIX engineering
344workstations, you can tell nfsd to bind specifically to 10.0.2.1.  You
345can specify how to bind virtually every service on the machine and you
346can use a light
347.Xr jail 8
348to indirectly bind services that do not otherwise give you the option.
349.Sh SEE ALSO
350.Pp
351.Xr config 8 ,
352.Xr dummynet 4 ,
353.Xr ipfw 8 ,
354.Xr ipnat 1 ,
355.Xr ipnat 5 ,
356.Xr jail 8 ,
357.Xr natd 8 ,
358.Xr nfsd 8 ,
359.Xr rc.conf 5 ,
360.Xr samba 7 [ /usr/ports/net/samba ]
361.Xr smb.conf 5 [ /usr/ports/net/samba ]
362.Sh ADDITIONAL READING
363.Pp
364.Xr ipf 5 ,
365.Xr ipf 8 ,
366.Xr ipfstat 8
367.Sh HISTORY
368The
369.Nm
370manual page was originally written by
371.An Matthew Dillon
372and first appeared
373in
374.Fx 4.3 ,
375May 2001.
376